---
id: 47d9cbab-c29c-43e4-940a-8120d6e99580
---

# Apache Server Side Includes (SSI) Injection Incident.
---

Apache Server Side Includes (SSI) Injection is a security incident that happens when an attacker injects malicious code or scripts in the server-side includes of an Apache web server. This vulnerability allows the attacker to execute arbitrary code or commands on the server, leading to unauthorized access, data loss, or other security breaches. This type of incident can be prevented by implementing secure coding practices, using input validation and sanitization techniques, and keeping web servers updated with the latest security patches.

### Parameters
```shell
export PATH_TO_APACHE_CONFIG="PLACEHOLDER"

export APACHE_PORT="PLACEHOLDER"

export PATH_TO_APACHE_ACCESS_LOG="PLACEHOLDER"

export PATH_TO_APACHE_ERROR_LOG="PLACEHOLDER"

export PATH_TO_HTDOCS="PLACEHOLDER"

export PATH_TO_BACKUP_CONFIG="PLACEHOLDER"

export PATH_TO_APACHE_CONF_FILE="PLACEHOLDER"
```

## Debug

### Check the Apache configuration file for SSI support
```shell
grep -i "ssi" ${PATH_TO_APACHE_CONFIG}
```

### Check if the Apache server is running and listening on the expected port
```shell
systemctl status apache2.service

sudo netstat -tuln | grep ${APACHE_PORT}
```

### Check the Apache access log for any suspicious requests
```shell
tail -f ${PATH_TO_APACHE_ACCESS_LOG}
```

### Check the Apache error log for any SSI-related errors
```shell
tail -f ${PATH_TO_APACHE_ERROR_LOG} | grep -i "ssi"
```

### Check if there are any unauthorized modifications to SSI-enabled files
```shell
find ${PATH_TO_HTDOCS} -name "*.shtml" -exec grep -Hn "<!--#" {} \;
```

### Check for any unauthorized modifications to critical system files
```shell
sudo find / -name "*.php" -exec grep -Hn "system(" {} \;
```

### Check if there are any unauthorized modifications to the Apache configuration file
```shell
diff ${PATH_TO_APACHE_CONFIG} ${PATH_TO_BACKUP_CONFIG}
```

### Check if any unauthorized users have SSH access to the server
```shell
grep -i "ssh" /var/log/auth.log
```

## Repair

### Update the Apache configuration file to disable the use of Server Side Includes (SSI) and only allow the use of certain safe directives.
```shell


#!/bin/bash



# Define variables

APACHE_CONF_PATH=${PATH_TO_APACHE_CONF_FILE}



# Update Apache configuration file

sed -i 's/^\s*AddHandler\s+.*\s+ssi\s*$/# AddHandler cgi-script .cgi/' "$APACHE_CONF_PATH"

sed -i 's/^\s*Options\s+.*\s+Includes\s*$/Options -Includes/' "$APACHE_CONF_PATH"


```

Apache Server Side Includes (SSI) Injection is a security incident that happens when an attacker injects malicious code or scripts in the server-side includes of an Apache web server. This vulnerability allows the attacker to execute arbitrary code or commands on the server, leading to unauthorized access, data loss, or other security breaches. This type of incident can be prevented by implementing secure coding practices, using input validation and sanitization techniques, and keeping web servers updated with the latest security patches.


This incident type refers to an unauthorized access to directories in Apache HTTPD, which is a widely used web server software. It means that someone was able to access files or directories that they were not supposed to, without having proper authorization. This type of incident can potentially lead to sensitive data being exposed or even stolen, and can compromise the security of the server and the applications running on it.


Unauthorized Directory Access in Apache HTTPD.

The Slowloris Attack is a type of Denial of Service (DoS) attack that exploits a vulnerability in the Apache web server. It works by sending HTTP requests to the server and keeping those connections open for as long as possible, thereby using up all the available resources of the server and rendering it unresponsive to legitimate requests. As a result, the server becomes slow or unresponsive, causing downtime for the affected website or service. This type of attack can be detected and mitigated by implementing specific security measures and tools.


Slowloris Attack Detected on Apache server.

This incident type refers to the detection of SQL injection attempts in Apache web server logs. SQL injection is a type of cyber attack that exploits vulnerabilities in web applications allowing attackers to execute malicious SQL statements. In this incident, attackers are attempting to inject SQL code into the URI (Uniform Resource Identifier) of an Apache web server, potentially compromising the server's security and exposing sensitive information.


Apache SQL Injection Attempts in URI Incident

This incident type refers to a security vulnerability in the SSL/TLS configuration of the Apache HTTP Server, which can leave the server and its users vulnerable to attacks. The SSL/TLS configuration is responsible for encrypting the communication between the server and its clients, and if it is not configured properly, it can be exploited by hackers to intercept or modify sensitive data. This type of incident requires immediate attention from software engineers to ensure that the SSL/TLS configuration is properly configured to prevent any potential security threats.


Inadequate SSL/TLS Configuration for Apache HTTP Server.

This incident type refers to a distributed denial-of-service (DDoS) attack on an Apache HTTP server. In a DDoS attack, a large number of requests are sent to the server, overwhelming its capacity to respond to legitimate requests. This can cause the server to become inaccessible to users and disrupt normal operations. Apache HTTP Server is a popular open-source web server software used by millions of websites, making it a common target for cyber attacks.


DDoS Attack on Apache HTTP Server.

```shell
export PATH_TO_APACHE_CONFIG="PLACEHOLDER"

export APACHE_PORT="PLACEHOLDER"

export PATH_TO_APACHE_ACCESS_LOG="PLACEHOLDER"

export PATH_TO_APACHE_ERROR_LOG="PLACEHOLDER"

export PATH_TO_HTDOCS="PLACEHOLDER"

export PATH_TO_BACKUP_CONFIG="PLACEHOLDER"

export PATH_TO_APACHE_CONF_FILE="PLACEHOLDER"
```


### Check the Apache configuration file for SSI support

```shell
grep -i "ssi" ${PATH_TO_APACHE_CONFIG}
```

### Check if the Apache server is running and listening on the expected port

```shell
systemctl status apache2.service

sudo netstat -tuln | grep ${APACHE_PORT}
```

### Check the Apache access log for any suspicious requests

```shell
tail -f ${PATH_TO_APACHE_ACCESS_LOG}
```

### Check the Apache error log for any SSI-related errors

```shell
tail -f ${PATH_TO_APACHE_ERROR_LOG} | grep -i "ssi"
```

### Check if there are any unauthorized modifications to SSI-enabled files

```shell
find ${PATH_TO_HTDOCS} -name "*.shtml" -exec grep -Hn "<!--#" {} \;
```

### Check for any unauthorized modifications to critical system files

```shell
sudo find / -name "*.php" -exec grep -Hn "system(" {} \;
```

### Check if there are any unauthorized modifications to the Apache configuration file

```shell
diff ${PATH_TO_APACHE_CONFIG} ${PATH_TO_BACKUP_CONFIG}
```

### Check if any unauthorized users have SSH access to the server

```shell
grep -i "ssh" /var/log/auth.log
```

### Update the Apache configuration file to disable the use of Server Side Includes (SSI) and only allow the use of certain safe directives.

```shell


#!/bin/bash



# Define variables

APACHE_CONF_PATH=${PATH_TO_APACHE_CONF_FILE}



# Update Apache configuration file

sed -i 's/^\s*AddHandler\s+.*\s+ssi\s*$/# AddHandler cgi-script .cgi/' "$APACHE_CONF_PATH"

sed -i 's/^\s*Options\s+.*\s+Includes\s*$/Options -Includes/' "$APACHE_CONF_PATH"


```


Apache Server Side Includes (SSI) Injection Incident.

Overview

Parameters

Debug

Check the Apache configuration file for SSI support

Check if the Apache server is running and listening on the expected port

Check the Apache access log for any suspicious requests

Check if there are any unauthorized modifications to SSI-enabled files

Check for any unauthorized modifications to critical system files

Check if there are any unauthorized modifications to the Apache configuration file

Check if any unauthorized users have SSH access to the server

Repair

Update the Apache configuration file to disable the use of Server Side Includes (SSI) and only allow the use of certain safe directives.

Learn more

Related Runbooks

Unauthorized Directory Access in Apache HTTPD.

Slowloris Attack Detected on Apache server.

Apache SQL Injection Attempts in URI Incident

Inadequate SSL/TLS Configuration for Apache HTTP Server.

Support